Merge branch 'chromium-update'.

Was about to open a new pull request about how to proceed with the BPF seccomp sandbox, but turns out that the Chromium security team not even has finished reviewing the legacy sandbox (http://crbug.com/26528, next time look at the date of the issue, shall we?), so it shouldn't make a big difference whether we enable the old seccomp sandbox or the new BPF one. Which of course won't make either of these options more secure and leaves us at the same state we had before, just with chrome://sandbox stating "NOT adequately sandboxed" which resembles the truth more closely.
2012-11-20 05:01:11 +01:00 · 2012-11-20 05:01:11 +01:00 · ba23852393
commit ba23852393
parent 38153d9105 a76e28b54c
4 changed files with 16 additions and 39 deletions
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@ -5,7 +5,7 @@
 , libevent, expat, libjpeg
 , libpng, libxml2, libxslt
 , xdg_utils, yasm, zlib
-, libusb1, libexif
+, libusb1, libexif, pciutils

 , python, perl, pkgconfig
 , nspr, udev, krb5
@ -84,13 +84,10 @@ let
    libusb1 libexif
  ];

-  maybeSeccompPatch = let
-    pre23 = versionOlder sourceInfo.version "23.0.0.0";
-  in optional pre23 ./enable_seccomp.patch;
+  post23 = !versionOlder sourceInfo.version "24.0.0.0";
+  post24 = !versionOlder sourceInfo.version "25.0.0.0";

-  maybeFixPulseAudioBuild = let
-    post23 = !versionOlder sourceInfo.version "24.0.0.0";
-  in optional (post23 && cfg.pulseaudio) (fetchurl {
+  maybeFixPulseAudioBuild = optional (post23 && cfg.pulseaudio) (fetchurl {
    url = http://archrepo.jeago.com/sources/chromium-dev/pulse_audio_fix.patch;
    sha256 = "1w91mirrkqigdhsj892mqxlc0nlv1dsp5shc46w9xf8nl96jxgfb";
  });
@ -120,7 +117,8 @@ in stdenv.mkDerivation rec {
    ++ optionals cfg.gnome [ gconf libgcrypt ]
    ++ optional cfg.selinux libselinux
    ++ optional cfg.cups libgcrypt
-    ++ optional cfg.pulseaudio pulseaudio;
+    ++ optional cfg.pulseaudio pulseaudio
+    ++ optional post24 pciutils;

  opensslPatches = optional cfg.openssl openssl.patches;

@ -128,7 +126,6 @@ in stdenv.mkDerivation rec {

  patches = optional cfg.cups ./cups_allow_deprecated.patch
         ++ optional cfg.pulseaudio ./pulseaudio_array_bounds.patch
-         ++ maybeSeccompPatch
         ++ maybeFixPulseAudioBuild;

  postPatch = optionalString cfg.openssl ''
--- a/pkgs/applications/networking/browsers/chromium/enable_seccomp.patch
+++ b/pkgs/applications/networking/browsers/chromium/enable_seccomp.patch
@ -1,20 +0,0 @@
-diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc
-index d4618e5..108f846 100644
--- a/content/common/sandbox_linux.cc
-+++ b/content/common/sandbox_linux.cc
-@@ -38,15 +38,9 @@ void LogSandboxStarted(const std::string& sandbox_name) {
- // Implement the command line enabling logic for seccomp-legacy.
- bool IsSeccompLegacyDesired() {
- #if defined(SECCOMP_SANDBOX)
-#if defined(NDEBUG)
-  // Off by default; allow turning on with a switch.
-  return CommandLine::ForCurrentProcess()->HasSwitch(
-      switches::kEnableSeccompSandbox);
-#else
-   // On by default; allow turning off with a switch.
-   return !CommandLine::ForCurrentProcess()->HasSwitch(
-       switches::kDisableSeccompSandbox);
-#endif  // NDEBUG
- #endif  // SECCOMP_SANDBOX
-   return false;
- }
--- a/pkgs/applications/networking/browsers/chromium/sources.nix
+++ b/pkgs/applications/networking/browsers/chromium/sources.nix
@ -1,18 +1,18 @@
 # This file is autogenerated from update.sh in the same directory.
 {
  dev = {
-    version = "24.0.1312.2";
-    url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-24.0.1312.2.tar.bz2";
-    sha256 = "155l6sm76cp2vzmm673dnb0vcz7akrz6xfp6jsmaa1175h0yal6h";
+    version = "25.0.1323.1";
+    url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-25.0.1323.1.tar.bz2";
+    sha256 = "1i7ga1qhnjvnw2gynmpmsvvl5pxcb5z9sgldp87d9yalim5sra6s";
  };
  beta = {
-    version = "23.0.1271.60";
-    url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-23.0.1271.60.tar.bz2";
-    sha256 = "1xsa27ay37jls9jiwqn7wfsc4ag02qd316gszb226hp2vhfv6pf2";
+    version = "24.0.1312.14";
+    url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-24.0.1312.14.tar.bz2";
+    sha256 = "03w8cg4kqmpj82976ax9x6y275y9gcri4vc11cvfjp6r1issxzk8";
  };
  stable = {
-    version = "22.0.1229.94";
-    url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-22.0.1229.94.tar.bz2";
-    sha256 = "1bqwlgmn0dm1xvd6v52zf9gjmykgq4fnw7rancbplfpl3rl7xbx0";
+    version = "23.0.1271.64";
+    url = "http://commondatastorage.googleapis.com/chromium-browser-official/chromium-23.0.1271.64.tar.bz2";
+    sha256 = "1rzz08sgw07nkmvhhgyrkrcxj3z24lxbx0di6ky6jz3lshibp578";
  };
 }
--- a/pkgs/applications/networking/browsers/chromium/update.sh
+++ b/pkgs/applications/networking/browsers/chromium/update.sh
@ -1,6 +1,6 @@
 #!/bin/sh

-channels_url="http://omahaproxy.appspot.com/";
+channels_url="http://omahaproxy.appspot.com/all?csv=1";
 bucket_url="http://commondatastorage.googleapis.com/chromium-browser-official/";
 output_file="$(cd "$(dirname "$0")" && pwd)/sources.nix";